After a funky incident many years ago, when a collaborator in a European project (at a point where we were having an argument) decided to circulate one of my emails, after editing it to his liking, all my bussiness emails are now electronically signed.
My emails end up being a little more “dirtier”, with all the PGP headers and footers, but this comes at a very small inconvenience (at least to me) considering that all my email correspondance is now tamperproof.
I do get the occasional question though (apart from the complains that my emails look funny) on how to actually check that a given email is valid and the contents have not be altered.
Here are two ways on how to verify, that an email was indeed sent by me and that the contents have not been altered.
Note: What follows is going to mess with your head. PGP encryption and signing is not meant to be used by everyday people. I’ll try my best to give a gentle overview, but still, it will be messy!
Format of signed emails
The format of the emails always have the following pattern:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi, This is my email. - -- Stratos Gerakakis Senior Software Engineer Planetek Hellas 44 Kifisias Avenue, Athens Space Cluster Building C, 15125 Marousi, Athens, Greece Tel +34 918 131 442 - Mob +34 684 124 497 firstname.lastname@example.org – www.planetek.gr == https://keybase.io/stratosgerakakis == -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEETENGmDUJ68gM1ayY/6ikKBcYr8cFAljAcJgACgkQ/6ikKBcY r8eQ+Af7B47OgqQJi171uMT/tndZHO8KzeGrQLUF6f8GwyrZ3Zcn2qIirOOsE5lD QtbTxIkwW4iAAFygwUoG4nOXLlDI2emJAVxksdxsTsSo+vTi99DcbDVN9Tm1SiW1 //CEL8ciHrl9SJJSCWp2hLcQn21rUKsiCzAMVF1SHMHeWUc2roYSmmBzJyver0ph YBhr0SdBzfcc+HBv0EBRURUypCtEf6Kci/D3/Zublg0m9qbg4p684IUnOvC7bjmQ qpy6D1o7OkoKeKiGFMZSqsW3DvVvyXG37FzJZK7LBsmQBMR64IOLjv/n+dNTIZ20 F/IOd5lKZlytdI2bxIHq2Zt4leXtmQ== =n7Pn -----END PGP SIGNATURE-----
They always start with a
-----BEGIN PGP SIGNED MESSAGE----- string and they
end with a
-----END PGP SIGNATURE-----
Save a file with these exact contents, including the PGP header and footer
strings, into a file, let’s say
The following instructions assume that you use a real operating system and that you have access to a capable command line shell.
Verifying with GnuPG
You will need to have the
GnuPG package installed.
You will more likely need to have my public key to verify my signature and the easiest way to get it would be with:
curl https://keybase.io/stratosgerakakis/pgp_keys.asc | gpg --import
The basic command to verify the email signature is:
gpg --verify /tmp/message.gpg
You should be getting an output like:
$ gpg --verify /tmp/message.gpg gpg: Signature made Wed Mar 8 20:59:04 2017 UTC using RSA key ID 1718AFC7 gpg: Good signature from "Stratos Gerakakis <email@example.com>" gpg: aka "[jpeg image of size 22170]" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 4C43 4698 3509 EBC8 0CD5 AC98 FFA8 A428 1718 AFC7
The WARNING that gpg is displaying, is because of the inherent lack of trust of my public key that you just imported. Is it really my public key that you downloaded before? Unless you personally verify with me that this is indeed my key, gpg will always warn you that this is not a trusted key.
You could sign my key, implying that you trust it, and make the warning go away, but that will mean that you already have your own set of private and public keys, and at this point I’m not going to turn this into a full gpg tutorial.
The important thing, so far, is the line above that reads
from "Stratos Gerakakis <firstname.lastname@example.org>"
If the message was tampered (try editing the
/tmp/message.gpg file) then
the response you would get would be something like:
$ gpg --verify /tmp/message.gpg gpg: Signature made Wed Mar 8 20:59:04 2017 UTC using RSA key ID 1718AFC7 gpg: BAD signature from "Stratos Gerakakis <email@example.com>"
If you had not imported my public key, as we did in the first step, then you would be getting something like:
$ gpg --verify /tmp/message.gpg gpg: Signature made Wed Mar 8 20:59:04 2017 UTC using RSA key ID 1718AFC7 gpg: Can't check signature: public key not found
Verifying with keybase
Keybase is a nice utility/service that encapsulates a lot of this raw encryption/signing black magic into an easier workflow. It also allows you to verify your self and establish a level of trust that the keys that you claim are yours are indeed yours and that you are who you claim to be. Yes, this thing with the web of trust is very paranoid…
You will need to have the keybase binaries installed from their website in order to follow through.
Once you do, then:
$ keybase pgp pull stratosgerakakis
will pull my public key, and:
$ keybase gpg verify -i /tmp/message.gpg Signature verified. Signed by stratosgerakakis 2 hours ago (2017-03-08 20:59:04 +0000 UTC). PGP Fingerprint: 4c4346983509ebc80cd5ac98ffa8a4281718afc7.
will verify that the email message is intact.
Keybase is also doing a lot of other interesting stuff and it’s worth checking it out, if you’re into that short of thing.
Automatic ways to validate email signatures
Obviously you are not meant to go through the whole procedure for all the emails. Your emailer program should be able to help verify the signatures of the emails, through the help of certain extensions/helper utilities.
Once again this is not a full tutorial on how to setup your email program (I don’t even know what program you’re using) but here is a list of programs that have capabilities to encrypt and verify emails:
Yes, unfortunately nothing in this worklfow is straightforward and it’s a big mess, requiring a lot research and field specific knowledge to understand it all. And by no means I do not claim to be an expert on any of these!